| Age | Commit message (Collapse) | Author |
|---|
|
for RSA key generation to 512 bits. Document that minimum.
|
|
|
|
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
|
|
Makes code more robust and reduces differences with OpenSSL.
ok inoguchi@
|
|
exponent.
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
Assign and test, explicitly test against NULL and use calloc() rather than
malloc.
ok inoguchi@
|
|
ok inoguchi@
|
|
This is inside !(defined(__amd64__) || defined(__i386__)),
while the file is only used on those two architectures.
"Free commit! No strings attached! No hidden tricks!" from miod
|
|
Write the documentation from scratch.
|
|
and EVP_PKEY_CTX_*_ecdh_*(3); from Antoine Salon <asalon at vmware dot com>
via OpenSSL commit 87103969 Oct 1 14:11:57 2018 -0700
from the OpenSSL 1.1.1 branch, which is still under a free license
|
|
and EVP_PKEY_CTX_get1_id_len(3), but make it sound more like English text;
from Paul Yang via OpenSSL commit f922dac8 Sep 6 10:36:11 2018 +0800
from the OpenSSL 1.1.1 branch, which is still under a free license
|
|
from Stephen Henson via OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000
|
|
|
|
|
|
|
|
This syncs the RSA OAEP code with OpenSSL 1.1.1d, correctly handling OAEP
padding and providing various OAEP related controls.
ok inoguchi@ tb@
|
|
This handles controls with a message digest by name, looks up the message
digest and then proxies the control through with the EVP_MD *.
This is internal only for now and will be used in upcoming RSA related
changes.
Based on OpenSSL 1.1.1d.
ok inoguchi@ tb@
|
|
|
|
PLT entries and prevent overriding
ok kettenis@ deraadt@
|
|
by the ASM stub, which is also in libc. The compiler only generates
invocations of the latter.
ok mpi@ deraadt@ kettenis@
|
|
ok tb@
|
|
ober_add_string.3 and as it was before the ber -> ober rename.
|
|
These are internal only for now.
Based on OpenSSL 1.1.1d.
ok inoguchi@
|
|
For now these are internal only.
From OpenSSL 1.1.1d.
ok inoguchi@
|
|
and symbol addition.
|
|
This will be used by upcoming RSA-PSS code.
ok tb@
|
|
This will be soon used as an optimisation and reduces the differences
between OpenSSL.
ok tb@
|
|
This is a wrapper around EVP_PKEY_CTX_ctrl() which requires the key to be
either RSA or RSA-PSS.
From OpenSSL 1.1.1d.
ok tb@
|
|
ok tb@
|
|
so move our BER API to the unused ober_* prefix to avoid some
breakage in ports.
Problem diagnosed by jmatthew with ber_free() in samba, but
there are many others as pointed out by sthen.
tests & ok rob
ok sthen (who had an almost identical diff for libutil)
"go head hit it" deraadt
|
|
the uvm_map lookup overhead"). This causes hangs with Python, seen easily
by trying to build ports/graphics/py-Pillow.
|
|
Diff from eric@ and florian@, commiting on their behalf since they are absent
and we want to ride the minor shlib bump.
|
|
ok deraadt@
|
|
Allows us to determine how long a process has been running, even if the
UTC clock jumps.
With help from bluhm@ and millert@, who squashed several bugs.
ok bluhm@ millert@
|
|
While here kill unused _wait() function.
ok visa@
|
|
ok visa@
|
|
and return an error instead. may prevent some unset/missing confusion.
ok deraadt millert
|
|
Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d
(with some improvements/corrections to comments).
This brings in code to make the padding check constant time.
ok inoguchi@ tb@
|
|
the top of the error stack in constant time.
This will be used by upcoming RSA changes.
From OpenSSL 1.1.1d.
ok inoguchi@ tb@
|
|
|
|
|
|
conditionals, now that this code handles arbitrary message digests.
ok inoguchi@ tb@
|
|
|
|
and skip 'protected' symbols when identifying which functions will be
subjects of lazy resolution
|
|
so that we can operate on libs from other archs
|
|
(Note that the CMS code is currently disabled.)
Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
tests from bluhm@
ok jsing
commit e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
Author: Bernd Edlinger <bernd.edlinger@hotmail.de>
Date: Sun Sep 1 00:16:28 2019 +0200
Fix a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9777)
(cherry picked from commit 5840ed0cd1e6487d247efbc1a04136a41d7b3a37)
|
|
The recent EC group cofactor change results in stricter validation,
which causes the EC_GROUP_set_generator() call to fail.
Issue reported and fix tested by rsadowski@
ok tb@
|
|
These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.
ok tb@ inoguchi@ (as part of a larger diff)
|
